Dovecot

Aus SSLplus
Zur Navigation springen Zur Suche springen

Einrichtung von SSL für den Dovecot IMAP/POP3 Server

Erzeugen des CSR

Für die Anforderung eines SSL Zertifikates ist es notwendig einen CSR (Certificate Signing Request/Zertifikatsanforderung) zu erzeugen.

Die kann per SSH oder über eine direkt Konsole auf dem Server erfolgen:

<source lang=bash> openssl req -new -newkey rsa:2048 -keyout /etc/ssl/private/domain.de.key -out /home/user/csr.txt -nodes </source>

Besitzt man bereits ein Schlüsselpaar kann der CSR auch folgender Maßen erzeugt werden:

<source lang=bash> openssl req -new -key /etc/ssl/private/domain.de.key -out /home/user/csr.txt </source>

Anpassen der Konfiguration

Je nach Distribution sind die Konfigurationsdateien etwas anders Strukturiert. So werden bei Debian 7.x und Dovecot 2.x die Dateien unterhalb von /etc/dovecot/conf.d in verschiedenen Dateien gepflegt.

Die Parameter sind jedoch, egal in welcher Datei Sie schlussendlich zu finden sind, die gleichen.

<source lang=bash>

  1. SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>

ssl = yes

  1. PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
  2. dropping root privileges, so keep the key file unreadable by anyone but
  3. root. Included doc/mkcert.sh can be used to easily generate self-signed
  4. certificate, just make sure to update the domains in dovecot-openssl.cnf

ssl_cert = </etc/ssl/certs/www.vsadmin.de.crt ssl_key = </etc/ssl/private/www.vsadmin.de.key

  1. If key file is password protected, give the password here. Alternatively
  2. give it when starting dovecot with -p parameter. Since this file is often
  3. world-readable, you may want to place this setting instead to a different
  4. root owned 0600 file by using ssl_key_password = <path.
  5. ssl_key_password =
  1. PEM encoded trusted certificate authority. Set this only if you intend to use
  2. ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
  3. followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)

ssl_ca = </etc/ssl/certs/COMODO_DV.crt

  1. Require that CRL check succeeds for client certificates.
  2. ssl_require_crl = yes
  1. Request client to send a certificate. If you also want to require it, set
  2. auth_ssl_require_client_cert=yes in auth section.
  3. ssl_verify_client_cert = no
  1. Which field from certificate to use for username. commonName and
  2. x500UniqueIdentifier are the usual choices. You'll also need to set
  3. auth_ssl_username_from_cert=yes.
  4. ssl_cert_username_field = commonName
  1. How often to regenerate the SSL parameters file. Generation is quite CPU
  2. intensive operation. The value is in hours, 0 disables regeneration
  3. entirely.
  4. ssl_parameters_regenerate = 168
  1. SSL protocols to use

ssl_protocols = !SSLv2

  1. SSL ciphers to use

ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

  1. SSL crypto device to use, for valid values run "openssl engine"
  2. ssl_crypto_device =

</source>

Weiterführende Links

Abgerufen von „https://www.sslplus.de/wiki/index.php?title=Dovecot&oldid=1196